
Hackers of the World Unite… When We Can Agree on a Time

“Look, you wanna be elite? You have to do a righteous hack.”

This entire episode we pay tribute to the movie “Hackers” with quotes all throughout the programming. This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and my guest co-host Roland Cloutier (@CSORoland), CISO, TikTok. Joining us in this discussion is Steve Tran (@steveishacking), CISO, MGM Studios.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to this week’s podcast sponsor, Code42

As organizations gradually and cautiously move out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams: an opportunity to re-imagine data security. More from Code42.

Full transcript

Hackers Clip

A recent unknown intruder penetrated using a superuser account, giving them access to our whole system.

Hackers Clip

Precisely what you’re paid to prevent.

Hackers Clip

Someone didn’t bother reading my carefully prepared memo on commonly used passwords.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark, I’m the Producer of the CISO Series and joining me as a guest co-host for this very episode is Roland Cloutier, the CISO, over TikTok. Roland make your voice heard.

Roland Cloutier

Hello everyone, glad to be here and David looking forward to this episode.

David Spark

This has been a long time planning, I’m thrilled to do it. We were originally supposed to do this in front of a live audience at the Vidcon Conference but because of unfortunate covid issues, the whole Vidcon Conference got canceled. Regardless, we’re doing this now. We are available at CISOseries.com and that’s where you can find out about all our programming. I do want to mention that we have an awesome sponsor for today’s episode who’s been phenomenal with us. They focus on insider risk, and the non-malicious kind of insider risk, which is often the majority of insider risk you’re seeing. They are Code42. More about Code42 later in the show.

David Spark

Just last week the cybersecurity subreddit had a thread asking “What was your favorite hacker movie?” and the movie Hackers came up again and again. Now the clip you just heard at the beginning of the show is from the film and here’s a great quote from this discussion about Hackers the movie and I think this summed it up perfectly: “Hackers is one of if not the best hacker movie of all time, I know it doesn’t portray hacking accurately like at ALL but man it’s just pure fun and honestly defines the 90s.” So Roland, for this episode I finally watched Hackers and I can’t believe I hadn’t seen it before. It’s got other great lines like this.

Hacker Clip

“Yo, check this out guys, this is insanely great. It’s got a 28.8 bps modem.”

David Spark

So Roland when was the last time you were actually excited about a 28.8 bps modem?

Roland Cloutier

I got to tell you I think it was like probably 98, 99 before, you know, the big cable companies started bringing in high speed data and I was rocking a proxy DotA server with dual 28.8 modems on the back going through like a red hook vpn concentrator back to work and I thought I was a meow man and it was super fast. Now I got a gig at the house, you know.

David Spark

I know. What was funny is I remember I was talking to another tech reporter that a lot of people know, Leo Laporte, and he had one of these, you know, early sort of virtual streaming kits and essentially they doubled up to 28.8 baud modems to allow him to stream video which is a little choppy at that speed, to say the least. I remember we went along with, you know, postage stamp size video with like four frames a second, it was awful.

Roland Cloutier

Yeah or we were doing, you know, like command and control work remotely, you know, in the middle of the night when things broke and we had to dial in and have high bandwidth to do searches and do some forensic stuff, you know, when I was a line worker doing intrusion work and, you know, you didn’t have time to get in the office, you had to jump on and you needed that bandwidth man and it worked.

David Spark

28.8 got everything, better than 14.4, doubly as good.

Roland Cloutier

I remember that. I played one of those noises for my youngest daughter who’s in university now because, you know, I’ve seen the things on TikTok, it’s very funny when parents play that sound, she had no clue, no clue what that noise was at all. It was funny.

David Spark

Well even worse is when people show kids a rotary phone, have you seen them react to that? That’s interesting. Well I have to say thanks to, the reason we’re playing all these clips from Hackers is because it’s a film from MGM Studios and guess who we have as our guest today, it is the CISO from MGM Studios, Steve Tran. Steve thank you so much for joining us.

Steve Tran

My pleasure, thanks for having me, super excited to be here with you both.

David Spark

And let me also mention to both Roland and to Steve that in lieu of the traditional bumpers that we usually play on the show, we’re going to be playing clips from the movie “Hackers” in honor of our guest. So thank you.

We caught him by surprise

00:04:36:11

David Spark

We protect our networks to protect our data. We train users about security to protect our data. We spend fortunes on identity systems to protect our data. Data is ultimately what we’re protecting, Roland. How have you started thinking about protecting data differently? Cause the way I see it there’s so many sort of vectors, unprotecting data rather than my sort of generic thinking of protecting data. I mean there are the issues of better classifying sensitive data or just classifying all data, like knowing what’s sensitive and what’s not, self-destruction of data, end of life of data and better tracking of data. This is just to name a few. How are you thinking about the sort of the new way of protecting data?

Roland Cloutier

All of it and then some. You know David all kidding aside I think, you know, you kind of hit the most critical part of my job. We used to be focused on just core areas of network defense, system defense, operating, you know, defense and at the end of the day it’s all about data and especially as data grows, becomes monetized and you think about the way that different regulatory considerations and requirements are different around the globe, you have to have a platform and a technology infrastructure that supports that. So really, you know, the focus right now from our perspective is how do you enable this concept of digital regionalization and that starts at an infrastructure level. So how do you take in data, how do you tag data, how do you have infrastructure capability to look across structured, unstructured areas to be able to identify what data is, where.

Roland Cloutier

I think where this world really needs to go and our industry really has to pick up the pace is around data lineage identification. I mean when we were doing business impact analysis for privacy defense work we, you know, spent a lot of time doing data flow analysis, where does the data go, but the concept there is very difficult. I mean that’s a high level: comes in through an app, goes to a repository, gets transferred to here, gets cleaned out here, but I mean the reality of that impractical application, impractical data defense is just not reasonable. I mean you have to be able to, at any given time and through identification of data elements themselves, understand how it moves, how it gets copied, what are the permissions supposed to be, how do you catalog that and how do you use that in multiple tiers of technology to put enforcement, and maybe that enforcement is auto destruction as you said earlier, right, or auto delete.

David Spark

But just end of life in data because not all data deserves to stay alive forever.

Roland Cloutier

Exactly, exactly. But it should also know who can see that data, you know, not just who can have access to it but what region should it be in or not in. How do you anonymize, pseudonymize, how do you do things like data de-identification so data can be used appropriately. Like all of those things need to be taken into consideration in order to actually have what I would call a next generation data protection system.

David Spark

Let’s take this over to you Steve. Steve have you A. been thinking about dealing with data like this and how difficult is it? You’re with MGM, you’ve got a much deeper longer library than TikTok does, again, you know, possibly TikTok is generating so much media they probably have a lot more than MGM does these days but I also know the complications of like making a film. I mean we’ve talked about this before is there is sort of disparate data sources coming in and managing and then classifying, how other people are managing and classifying becomes highly complex, yes.

Steve Tran

Oh absolutely. It’s not just the finished product, it’s everything leading up to that, we call it the value chain. And the value chain is very complex in itself because it starts from alright they have an idea, what is that idea, script writing, planning, development, all that stuff and then it goes into pre-production, then production, then post-production and then everything after that.

David Spark

And then all the people who are involved, who have parts of the film that they’re dealing with, so they all have different assets at different levels and we’ve talked about this before and they’re often using kind of the wrong platform sometimes to do this and you have to sort of make sense control this, yes.

Steve Tran

Oh yeah the creators want to use the tools that they want to use and every creator is different.

David Spark

So what is your data classification, just to close out this segment now, what is your struggle now as you’re sort of looking at protecting data and what’s unique to the way, you know, to the way you operate?

Steve Tran

I look at it in two different perspectives, one from a corporate perspective, things that are easy to classify like financial documents, contract documents, things like that, then you have media assets which are harder to classify and those could be in the millions, right, because it’s all the unused footage or the used footage or marketing tiers, trailer cuts, things like that. From that perspective I’m looking at it from the perspective of identity versus the number of assets that could be exposed or shown. This way that’s great visibility too, but everything Roland said really resonated because how do you get that visibility, the whole life cycle visibility. So for me I’m trying to see if I could track back at the identity level just from what I discovered. Sometimes it’s not about the amount of things that are at risk but who is the cause of that risk and is it a particular person or a single department that is responsible, you know, for the majority of that or maybe it’s more a percentage and to me that tells a better story.

You wanna be elite? You gotta do a righteous hack.

00:10:20:19

David Spark

On Twitter, Bryan Liles asked the question, “What is the biggest scam in tech that is deemed acceptable?” Now lots of great answers here like paying for products with personal data, that’s super common. Having to pay extra to use MFA, and I’ll also throw in having to pay extra for SSO. The need for a CISSP or that you need a degree to enter a vocational job of cybersecurity. The planned obsolescence of products, and that’s been going on forever, and unlimited paid time off or unlimited PTO. So I’ll start with you Roland. What do you think is acceptable that shouldn’t be and have you had a plan to change it?

Roland Cloutier

Oh man what a list.

David Spark

And by the way do you agree with the list so far?

Roland Cloutier

I think there’s some interesting things in there. You know one that I like though, the one that I agree with, is the need for a CISSP or you need a degree to enter a vocational job. I think there’s alternatives and we as security leaders really need to adjust that. That could be like a whole other session David on how do you create, you know, and close the gap in the three million open positions in security, risk and privacy operations in this career field, if you stick with the line, you know, you got to have a CISSP and, you know, a post-grad degree.

David Spark

But let’s go back to the issue at hand though of is there anything that’s sort of deemed acceptable that we’ve all sort of accepted like hey we’ve got to stop agreeing to this.

Roland Cloutier

You know to me it comes down to like the SDLC and this concept that you can’t check all code right, like you got to live with a certain level of not just vulnerability but just negative code attributes within the product.

David Spark

And you’re saying that we’re accepting that.

Roland Cloutier

Yeah we’re accepting that. Too many companies don’t invest– and here’s the problem. We have this concept called, you know, CQI, continuous quality improvement, the ISO 9000 series, and so in other parts of our businesses we said quality is job one. When it came to code all of a sudden, well if it’s a problem it’s probably a security thing and we can live with a certain acceptable level of risk, and there’s some truth in that, but the reality is if you have a focus on quality in code, if you have a focus on understanding how your product is going to be used, how your code should be written, who should have access and all of those sort of things that you would do in a security and privacy by design program or an SDLC, you wouldn’t accept that.

Roland Cloutier

And so, you know, one of the things that, when I talk to other folks in this industry and peers, that I struggle with is when it’s just written off, like yeah it’s just the way it is, you’ve got to find it, you know, in post compile code analysis and go back and develop a vulnerability. It’s like we’re allowing people to do sloppy quality and not integrating security as a component of the quality that they’re being paid to build and I don’t get it, and I don’t understand it, and I don’t agree with it.

David Spark

That’s a good argument. Alright Steve I’m going to just throw this to you. Do you have something from the list you agree with? Do you have a different thing? Like what is the thing that we all accept that we should stop accepting?

Steve Tran

Having to pay extra to use MFA and SSO, that is my biggest pet peeve. Why do I have to pay extra for those security fundamentals?

David Spark

That’s a good point. Now I’m going to say this. There is a site, and we’ve talked about this before, called the SSO Wall of Shame where they expose the companies that are charging and they try to keep it, although it hasn’t been updated in a while, try to update like what they’re charging people to use SSO. I’m going to just play a little devil’s advocate here in that I know this usually refers to non-security companies implementing MFA and SSO, but people charge for a security service, so could this be seen as this is just a security service you’re having to pay for? Or how is it different?

Roland Cloutier

This is bad management. So I’m sorry, I’m going to jump in here.

David Spark

Okay jump in Roland.

Roland Cloutier

Listen this is bad management. I mean what is the end result of non 2FA, right? Breaches, ATOs, privacy disclosures, notices from companies out for disclosure, then you have credit impact to the consumer, you have fines that these companies have to pay, they have to do investigations, right. What’s the cost of 2FA, right? What’s the cost of OTP and SMS-enabled, you know, authentication products within their own environment? Most of the code is free these days to be able to do it and you can cross collaborate with, you know, organizations like Google and Amazon and others and Microsoft that will allow you to use their infrastructure as a generalized mechanism that is accepted by consumers today, and you’re going to charge for it. Like you’re saving yourself money when you institute it, organizations look at the risk of it.

David Spark

This is exactly what Mailchimp does. Mailchimp implemented MFA and this is what their incentive is. They gave you, you know, just a few dollars per month incentive: if you employed MFA they would reduce your monthly charge, which, that’s the way to do it, take it in the opposite direction. Steve, so your complaints on MFA/SSO, I’m assuming it echoes what Roland just said.

Steve Tran

Absolutely, well said Roland.

David Spark

We’ll wrap it up there. Awesome.

Hackers Clip

“You need an army.” “That’s it, an electronic army”. If I were us I’d get on the Internet, send out a major distress signal.” “Hackers of the world unite.”

Sponsor – Code42

00:15:40:21

Steve Prentice

Teaching how to develop more secure habits is vital to a company’s overall risk management strategy but often the teaching opportunities are scheduled way too far apart and are not relevant enough. Mark Wojtasiak Vice President of Research and Strategy at Code42 explains why situational training is a far better option.

Mark Wojtasiak

When we think about proactive lessons, lessons that you might do once or twice a year, and those are kinda standard, that’s the way we’ve always done security awareness training, but often times insider risk to data is posed unpredictably, so we developed situational training in order to pro-actively inform employees that are departing or that are coming on board of what their rights are with corporate data, and we deliver this training in bite-size chunks. They’re very user centric, user friendly, the tone of them, the look and feel of them, they presume positive intent, providing employees the reason why it’s important.

Steve Prentice

These are delivered in a human to human short video format as well as info graphics.

Mark Wojtasiak

We’re not about to send employees five minute videos every time they do something unsafe, we’re taking 30 seconds, 40 seconds. We have one mantra: teach don’t preach, be helpful. It’s not about reprimanding employees, it’s about helping them make the right decisions, and that can mean a lot in changing employee behavior.

Steve Prentice

For more information visit code42.com/instructor.

It’s time to play ‘what’s worse?’

00:17:31:04

David Spark

Alright this is the most popular game on our show, the What’s Worse game, and I have got a really good one for the two of you and this comes from Eric Blot of Sprinkler and he asks what’s worse: having the best SIEM and team without any plan or strategy on how to use it or, and by the way Roland you’re answering this first, or you have a bad SIEM with a skeleton team but you actually have a comprehensive detection strategy. So as always, both of these, think which one from a purely risk management perspective is worse.

Steve Tran

Oh two, absolutely two. I mean listen I hate to sound like a horrible manager but you can always get rid of your people and get the right people and put them in place.

David Spark

This is how the what’s worse scenario works, this is what you get. The team does not disappear.

Roland Cloutier

Yeah you know from my perspective if you have access to the information.

David Spark

Which by the way in the first scenario the team is still good. No, so the second one is worse, I’m sorry, because it’s a skeleton team.

Roland Cloutier

Yeah so my position is you can’t do anything if you don’t have data. If you don’t have transparency into the environment you don’t have visibility, you don’t understand what’s happening, you can’t collect that information, you can never go back. So I would rather grow my capabilities with a way to respond and with a mechanism by which to train the people how to use the information over time, but have access and visibility into that environment.

David Spark

No but the point is, [INAUDIBLE] you know that’s never going to happen. In this scenario you don’t ever have a plan or strategy on how to use– yeah it happened.

Roland Cloutier

Half empty buddy, you’re half empty, I’m telling you.

David Spark

So the idea is there is something good that’s running but essentially you’re not doing anything with it, essentially it’s the first scenario, but you’re still taking the second scenario, bad SIEM, skeleton team, but you can do something with it.

Roland Cloutier

Yeah.

David Spark

That’s worse, okay.

Roland Cloutier

I think so.

David Spark

Alright. I throw this to you Steve, do you agree or disagree?

Steve Tran

Oh that’s a tough one. I kind of agree and disagree.

David Spark

You know you got to pick one or the other. This is how this game works.

Steve Tran

Wow this is horrible, so.

David Spark

That’s the idea.

Steve Tran

This is like my [UNSURE OF WORD] right here, right. First option, I’d rather have the visibility even if we don’t have anyone that has a [UNSURE OF WORD] and can make use of it because I can always be retroactive, right. Something’s better than nothing. Then the second scenario, well that’s because you don’t know what you don’t know, right. You can have awesome people but if they don’t have the right [UNSURE OF WORD] in front of them.

David Spark

But in the scenario you do, it’s a skeleton crew, it doesn’t say they’re bad, they’re just a skeleton crew, but you’re actually doing something. The difference is in the second scenario you’re actually doing something with bad data. With the first scenario you’ve got good data but you’re doing really nothing with it. So doing something with bad data, is that better or worse than doing nothing with good data?

Steve Tran

You know I think that’s probably worse, I think that could be worse right, working with bad data is worse.

David Spark

Which one, I’m sorry, which one is worse?

Steve Tran

The second, I would say the second, working with bad data.

David Spark

So you’re agreeing with Roland on this?

Steve Tran

Right.

David Spark

So doing something with bad data is worse than doing close to nothing with good data.

Steve Tran

Oh you’ll probably be causing more damage, more trouble right with that info.

David Spark

Good point.

Try the back door.

00:20:46:14

David Spark

On LinkedIn, Dan Lohrmann of Security Mentor published an article he wrote for Government Technology arguing yet again the need for a convergence of security between physical and digital. I’m going to throw to you first Steve on this one. It seems obvious they should converge and I’ll offer this argument why I believe it’s not happening. I think it’s fear from the physical security community. They know cyber is eating their lunch in terms of importance and visibility, and the people who work in physical security are generally older and know far less about cyber, and I know that’s not universal but I’m just saying generally. Now I actually saw this first hand at a physical security conference where there were just a few cyber sessions and they were being taught at really the most basic, like 100 level. So Steve why do you think we’re still talking about physical and digital convergence?

Steve Tran

I think it’s all about awareness. I think a lot of times it’s educating the organization and the security leads, both physical and cyber, to understand the importance of convergence. Because from my perspective as a CISO I’m trying to elevate our role here, moving away from being just the cyber, you know, experts. We’re speaking the language of risk and it goes beyond technology nowadays, right, it’s people and processes too as well.

David Spark

And the people live in a physical world.

Steve Tran

Right, exactly right. And even in the movie Hackers you could see not everything they do is technology based, right, there’s social engineering going on. Even if you watched all the popular movies of a scam artist, right, cause we have another great movie called The Hustle, right, that whole movie is just based off of social engineering, you know, and all of the fun movies, action movies that we like, sneaking into places, those are all social engineering attempts.

David Spark

Let me ask you, I’m going to do a slight diversion and I’ll ask you too Roland but I’m starting with you Steve, how much do you think one can learn about cybersecurity just watching Hollywood movies? How far could one get?

Steve Tran

I think the farthest you can get is knowing that this danger exists.

Roland Cloutier

Okay.

Steve Tran

But there’s a lot of bad stereotypes too as well and I think that plays a huge problem with people trying to get into this profession to begin with, because they have this invisible barrier because they think it’s, you know, super high, they need to be expert coders because all we see in the movies are rule and command lines, but that’s not reality. Reality is there’s a lot of risk roles that don’t require someone to know how to code.

David Spark

Now I know this is a completely absurd question, it’s like me asking, you know, could you become a doctor watching Trapper John, M.D. but let me go to you Roland, do you think there’s any education that one could get from watching a Hollywood movie that has cybersecurity elements in it?

Roland Cloutier

No, I mean you’re just taken away. Like I was just about to say it has about as much factuality as educational material as being able to watch, you know, a series like Grey’s Anatomy.

David Spark

There you go.

Roland Cloutier

And be a doctor next week.

David Spark

You used a more current, a better cult show than I did.

Roland Cloutier

Yeah, not going to happen.

David Spark

No okay so let me throw to you, why do you think the physical and the cyber world are not converging? Cause again from this discussion everyone was like why are we still talking about this?

Roland Cloutier

Listen this is my third CSO position, a global CSO position as a converged security leader, I wrote a book on it, a post grad book, you know, for universities, and I think it comes down to two things and Steve kind of hit on it a little bit. The first is this true understanding of risk education. So how do you bring this conversation to the level of a COO or a CEO and talk about, you know, the totality of risk for an organization and what the umbrella looks like and why it’s important to have this in a [INAUDIBLE] discussion when you’re talking about security risk and privacy operation like issues, right. It’s hard to have the discussion if you yourself don’t get it or haven’t been educated. And so, and by the way, you know, companies have operated in certain ways and so they continue operating in certain ways and until they have a real bad problem they don’t know it’s broke, so I fix it.

Roland Cloutier

So you have this lack of education at a senior executive level with regards to risks. The secondary is go find me some converged security experts. I mean I know of 10 programs worldwide, and we’re talking about millions and millions of security practitioners, and I know 10 global programs that have major converged programs where you have everything from cyber operations defense and integrated intelligence risk management and, you know, digital crimes and the converged corporate security components under one umbrella, that’s not a lot. You know they call it a unicorn. I think people can be trained to be both and you certainly have amazing people coming out of university and government today that, you know, have a great dual career that have done both and they can manage both.

Roland Cloutier

I think we’ve got to continue to train executive leadership in security for convergence and we have to get ahead of that risk curve with education with corporate executives.

You have a gifted and talented security officer

00:25:55:08

David Spark

At the time of this recording we’re actually running an AMA, or an ask me anything, on the r/cybersecurity subreddit, and here’s one of the questions that Avi Shua of Orca Security asked and he asks, “Which part of your role is science vs art?” And Steve I’ll start with you. How many times, and again this is what Avi was asking, how many times do you try to perform educated analysis on the risks vs just use your expertise / intuition to make quick decisions? I get a feeling a lot is a lot because it’s so hard to often make educated analysis of risk. Where do you stand on this Steve?

Steve Tran

Absolutely I agree. I feel like it’s more of an art because there are certain things that are extremely difficult to quantify, and if you can’t quantify something correctly what’s the point of even, you know, going down that analysis, right. But then going back to our last discussion about converged risk and having an integrated risk management program, it’s about influencing, right, making people feel comfortable, hey this is the best, you know, pathway for the organization and here’s why, and get everyone’s buy in, because it’s very difficult to force people to do something. If you have to force someone I think you’re failing already, right. They have to genuinely want to buy into it because it’s meaningful to them, right, it resonates.

Roland Cloutier

So part of that is just knowing how to handle someone who would come to the table and say hey, you know, you’re just trying to take over my job, blah blah blah, there’s a lot of friction there as in the last example, but, you know, it could be completely fine with the awesome racing matrix and then people would be happy, right, because they understand, you know, that they have a piece of the pie and it’s a community effort. So. Believe it or not it’s like easier said than done.

David Spark

Let me say this, I have to assume, and I’m going to get just a quick answer from you Steve and then we’ll go to Roland, I have to assume you would love it if you could do a risk analysis and base all your decisions on that. I mean, in a perfect world wouldn’t that be what you would strive for, yes?

Steve Tran

Oh yes absolutely but yeah unfortunately what we have to work with are different personalities, different perspectives and yeah how do you do risk communication in a way that resonates at all levels within the organization.

David Spark

Yeah and that’s even a greater complication is, you know, you’re dealing with the communications, not just trying to figure out if you can quantify or not. Roland, where do you stand on this sort of art versus science decision making?

Roland Cloutier

Apparently I’m the optimist because I think it’s more 75% science and 25% art. So, you know, if you work down like the OODA loop concept and how do you make decisions, and I think this was probably how do you make fast risk decisions is probably what Avi was getting at when the question was asked. But, you know, if you break up the components of a decision into multiple areas, not just the risk assessment itself, because you’re right there may be some less measurable components to the risk and you may not be able to measure all risk the same, but how you make that decision, how you respond to things, questions about should we or should we not do this type of vulnerability management. Well what are the norms, you know. Why are we making a decision on patch versus not patch? Why are we making decisions, in the middle of an incident, on disrupting an enterprise environment or stopping something versus letting it go for intel and following it back upstream?

Roland Cloutier

Like all of those things are through years of training, execution, operations and making decisions or learning from other people’s decisions. These are technical specialties that are not gut feelings, these are learned attributes of a profession and you can break it down. I mean you may have risk things that you’re looking at, you may have standards bodies that you’re looking at, you may have incident response guidelines that, you know, you’re pulling into these decisions, and the more and longer you have in exercises and practicing these through actual issues, the better that goes into your OODA loop bank if you will, and you can pull those back into making a scientifically sound decision. And if you go for an after action report and you say why did I make that decision, often you can pull apart about 95% of it and say well when this happened before I knew that these three things were, you know, our gross business priority. Over here I’ve seen the risk assessment prior and this was the output to that.

Roland Cloutier

And so you’re able to go actually back and do that. So I think that 75% of the time when me and my peers make decisions in this space, it’s really based off the science of the technical, you know, previous work that we’ve done in our past.

David Spark

Does it, and I also [INAUDIBLE] Roland, you’re working for a much younger company than Steve is, and the fact that it’s younger maybe you have a little bit of a leg up or an advantage in terms of not having to deal with so much legacy. What do you think? And Steve, obviously pipe in because it’s harder to do with risk management when you’ve got so much legacy going on.

Roland Cloutier

Yeah it’s true but there’s, you know, they’re more up to have standards and in a small newer organization that’s just dynamically growing, you’re catching up to deliver standards and policy and train people. So I, I think it’s a, you know, it’s a catch 22 for my sense especially in flatter environments, you know. You have to learn how to take a broader set of opinions into the discussion point right whereas in Steve’s world it might be a more confined command and control type of discussion with senior executives. So I think in either of these you have unique challenge you have to address but at the end of the day you really have to educate your senior leadership staff, your executive security teams on the critical components of their job that they have to know inside and out from a “science perspective” to be able to actually execute their job appropriately and you have to hold them accountable to it.

David Spark

Steve I want you to have the last thought on this because I did say that, you know, that being that you’re older that you would have legacy to deal with, do you think that calculates into the difficulty to do this?

Steve Tran

Oh yeah, and you’re absolutely right, and well, one thing to keep in mind, because I totally, you know, agree with what Roland’s perspective is too, because ultimately we all would love to make data-gen decisions too as well, but, you know, it’s all about context because every organization will be different within their journey and it’s all about knowing where you are within your journey and then putting a plan together and starting from there because there is a one size fits all.

Hackers Clip

“We’re hackers. For us there’s no such thing as family and friends.”

David Spark

Do you believe that, there’s no such thing as family and friends? Hackers. I actually think quite the opposite and you see it in the movie they are actually friends, although that’s the villain talking in that line right there. We’re going to wrap this thing up. I want to thank both Roland, stepping in as the guest co-host for this very episode, and Steve Tran, again this was a long time coming. I’m sorry we couldn’t do this in person, which was our original plan, but I’m so thrilled that we’re here to at least do it virtually as well. I want to thank also our sponsor for this episode Code42, thank you so much for sponsoring us, again insider risk. If you want more on that go to code42.com.

David Spark

Now I want the two of you to have the closing lines, and the question I have also for both of you, and that I have for all our guests, is are you hiring? So any closing thoughts you’d like to have and making any pitches, specifically if you’re looking for talent. Roland, you first.

Roland Cloutier

I’ll start. 250 open positions in 19 different disciplines across multiple countries. If you’re looking.

David Spark

Oh just in cyber alone?

Roland Cloutier

Oh cyber risk, privacy and converge to everything from digital crimes to forensics people.

David Spark

250 positions, that’s phenomenal.

Roland Cloutier

Three new fusion centers going up, new intel division, I mean we’re rocking and rolling right now.

David Spark

So all on like the career page on TikTok.com.

Roland Cloutier

Yep TikTok.com/careers, reach out on LinkedIn however you want to do it, you know. We’re looking for the best and the brightest to be mission centric and build our own security family.

David Spark

I got to assume, you know, given this is your third CISO play, this is a much different and much more exciting CISO play than you’ve had in the past yes?

Roland Cloutier

It is crazy. It is so dynamic and the technology is so, it’s thrilling. I mean I don’t use that word in, you know, cybersecurity too often but it is insane that, you know, the technology we’re seeing, the level of scope at scale and I have to tell you the level of expertise that is in it’s company to be able to deliver what we deliver on a daily basis is just amazing. So being the CSO who’s responsible for protecting it is like just the most amazing job I could’ve ever thought of.

David Spark

Well I see the users of TikTok driving this, driving the behavior to you guys to excel, so I mean I’m not just, you know, sitting there kissing your butt on this but I’m impressed with the product and how it’s sort of evolved and delivered over time. Very impressive.

Roland Cloutier

Thank you.

David Spark

Alright Steve I throw this to you as well. Are you hiring?

Steve Tran

I am. Check out the careers page MGM.com. Don’t have as many openings as Roland here. I mean I will have to say, you know, Roland I am very, you know, impressed with what you’ve done. I see how transparent you are, you know, I see your newsroom post on TikTok, you talk about the different programs that you support, you know, outside with education, frameworks and, you know, introducing your leads and what you do that level of transparency is very impressive because I don’t see it that often across many organizations and, you know, our job is already challenging as it is and you have an extra challenging, you know, going on and I just have to say Roland like, you know, I have a lot of respect for you and, you know, very, very impressive what you’re doing over there.

Roland Cloutier

Steve I appreciate it and it’s from guys like you and our peers in the industry that I, you know, get these great ideas that say how can you deliver the next opportunity for our practitioners and I appreciate guys like you getting on these shows, sharing, talking about the difficulties we have and working through it with each other. So I got to tell you it’s a very satisfying career.

David Spark

Roland do you have a TikTok channel?

Roland Cloutier

I am starting one up for October, obviously, cybersecurity month.

David Spark

Okay, yes.

Roland Cloutier

So you will see CSORoland, the same Twitter handle I have, will be on TikTok.

David Spark

CSORoland, does it exist right now, can people actually register for it? Actually this will drop I think in November so yeah.

Roland Cloutier

Yeah it will be out there, it will be out there when this drops.

David Spark

Oh yeah, so it will drop actually when cybersecurity October is over. So November 2nd is the drop date of this episode. Alright, well thank you very much Roland Cloutier, who is the CISO of TikTok, and also Steve Tran, who is the CISO over at MGM Studios. This has been phenomenal. I’m so thrilled we were finally able to get together and do this, I greatly appreciate it, and our audience as always, we greatly appreciate your contributions. I hope you like this special episode with all the clips from Hackers in it, and if you haven’t seen the movie make sure you go see it. Thank you everybody for participating and listening to the CISO Security Vendor Relationship podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”
